Vroom leaked personal and banking data of 27,000 Australians

31 March 2025 | Author: Newsman

Australia’s largest online car loan marketplace Vroom by YouX has been the victim of a massive leak — more than 27,000 records with driver’s licenses, banking details and even medical documents of customers were found online.

The fintech company specializing in car loans left an unprotected database without a password — scans of driver’s licenses, bank statements, documents with partial credit card numbers, as well as medical and employment data for 2022–2025 were publicly available.

  • Researcher Jeremiah Fowler reported the Vroom leak and passed the data to the Website Planet team. The company promptly restricted access, and also promised to conduct an internal audit and develop a plan to inform customers.
  • In a statement, Vroom said it has not yet identified any evidence of the data being used, but acknowledged the seriousness of the situation. Vroom has been in business since 2022 and actively collects customers’ personal and financial documents for loan approval.

However, basic protections for this data, such as passwords, multi-factor authentication, or encryption, are lacking. Experts say that attackers can easily fill in even partial credit card information using previous leaks, or use it in phishing schemes.

This incident is another reminder that in the world of digital data, non-existent security is the calm before the strike. By leaving the door wide open to a potential attack, Vroom has put not only its customers at risk but also its own reputation.
